Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()
Martin Pitt wrote:
> One easy solution that comes to my mind is to install those affected
> programs setgid, and drop the additional group immediately after
> program start with setgid(getgid()). For this we should introduce a
> new static group into base-passwd, like "noptrace", to not abuse
> existing groups and not confuse auditing tools.
Excuse my ignorance, but is this the hack it sounds like? If so, I would
not be exactly thrilled to see this sprinkled across the distribution
unless it solves a severe problem and there are no alternatives of
"doing things right", which I am not sure is the case here.
Thomas Viehmann, http://thomas.viehmann.net/
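
The startup sequence under discussion in the quoted proposal, as an added example that is not code from this thread or from Debian (Linux/glibc assumed; the function names are hypothetical). It uses setregid() rather than the quoted setgid(getgid()), because for an unprivileged process setgid() leaves the saved set-group-ID in place, and it reports the two kernel-side effects the setgid bit is being relied on for.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/auxv.h>
#include <sys/prctl.h>

/* Nonzero when the kernel set AT_SECURE for this exec (e.g. egid != gid);
 * in that mode the dynamic loader ignores LD_PRELOAD. */
int started_in_secure_mode(void) {
    return getauxval(AT_SECURE) != 0;
}

/* PR_GET_DUMPABLE: 1 means same-uid processes may ptrace-attach;
 * 0 or 2 means they may not without CAP_SYS_PTRACE. */
int dumpable_state(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Drop the setgid group for good. Returns 0 on success, -1 on failure. */
int drop_extra_group(void) {
    gid_t real = getgid();
    gid_t old_effective = getegid();

    /* setregid() with a real gid given also resets the saved set-group-ID,
     * which plain setgid(getgid()) does not do for an unprivileged process. */
    if (setregid(real, real) != 0)
        return -1;
    if (getgid() != real || getegid() != real)
        return -1;
    /* The old group must not be recoverable. euid 0 is used here as a
     * stand-in for CAP_SETGID, which could always switch back. */
    if (old_effective != real && geteuid() != 0 && setegid(old_effective) == 0)
        return -1;
    return 0;
}

int main(void) {
    int secure = started_in_secure_mode();
    if (drop_extra_group() != 0) {
        perror("dropping setgid group");
        return 1;
    }
    printf("AT_SECURE at start: %d, dumpable after drop: %d, gid=%d egid=%d\n",
           secure, dumpable_state(), (int)getgid(), (int)getegid());
    return 0;
}
```

Built normally it prints AT_SECURE 0 and dumpable 1; the values only change once the binary is installed setgid to a group the invoking user is not in.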